General
Target

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

Filesize

219KB

Completed

24-01-2022 00:49

Task

behavioral1

Score
10/10
MD5

3d57a5f5b5cf01b8ff1867d8a004090f

SHA1

5cc7fc1da338ec10ae1d59b0296697d57cbc21b6

SHA256

ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9

SHA512

8a71c0d733738a6e2e3ea1fcb939cff18619a5733866b1ada145af4a14a597f494352a459d2212e2fcd8873da4d68bcdd972fe4de7339625ce8ebb29ebef6253

Malware Config

Extracted

Path

C:\ol215ll-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion ol215ll. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8A3362DC28EB2F3A 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/8A3362DC28EB2F3A Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: Md00XppC313bRFkPTNxrwcwDuLNuLaM0N/mTGJtBAJVxUdjMaO6kiXP6Sirn19Zy N242YKf90MlCujkjg3mGSkC4jj6pCo7gKjZfN+v4v3hLoL3FtY6TW1fKFbwy3QYB gTIMbxrNNV+9hwfOXI7NnzWRJDIZRYHI4fE1l1/T9978dpkq/sTU5b5wpAzp/9TI Eb7RM0c9U+tf5eP9OE9iAo5l+/1Zr0FUSeYuTnPEqswBc5mVFG49m1VH9GrpdT0n ll5wU3HR/mSWZbndTuPoXMrHHfl9nbsOB0iui4SNMMzrET8tGUF3bsJIbIgv3hrj mZPIRbvsiLnaZVjAa6kfDwdE7CCSVD8dJmOGIv8GsqAjpfxCq/eiSRSYoG1NwcQy zBIETxWWwP0e2vZyy3Gmr5jBGTRiWqAbNZwC2GOi2TcOiQkjwHiJ6y1rbRjfhAm4 DAi+vVj8uT2+AsZNKx/9dWwDkkXiKLPxGpeaqCQ1jVSai9GfgbVH4h61y/3BRLCr wofgWxRKJJc44P30+k7BWzNRCpjEvLBcLd0CmJxrVFysBbfgBVRMYfjcEyzLxppI y0QqrjJcrRrSPWFeopgVWMyYfr4HIHxlpQ0IIPc+SbWQ6WJ0KzusjXaEUHIAg7UP C9tcEmza8fHsfBWE2dhr1adBl7BIsvUHnd/1StLd2puRv9eeY4xDZalU4MlLt6pb xSl0ou1rQlTgrUcLRCjCfQr9wkqLk34Zr9Dq/D/Aacj1o1NWR2I6E57Q3WAP56NU Qk9p9GIRPhyCoWl24OxV2/lGvREIdly83ZVbMGQS8MoedTselbUGlbC0C1GkjH3G OxuOiK31qC7L4bS1wIr1sLG1bI4jz5y1Jeb+M8UQH8WPnYUi/QKddEf2XurRkqXv Z01sdSNmW5bfQqOlXOVFTyRlZJqy/TcQDI7q9Jy2HtEHQHRPt3Z23xTTSW1ctwmT 0ILg58Y33byoXFrMVl3fdElS1vyqHrELR5dC5WJM3ZlK5g9txH2CMMDgBiu5utnO gg6+nUKQhxy3Z8NkysIKQKIpuTY3GnhBYZNmQGRigJ1Z9fW266BdoCQZg27XXVNz dC8vAeljZKnHlIgbRR9AfFYsyuRLmToyemNO+qhfXdOkHrAPxq0HOGkXq/Y+teCZ 5Kw= Extension name: ol215ll ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/8A3362DC28EB2F3A

http://decryptor.top/8A3362DC28EB2F3A

Extracted

Family

sodinokibi

Botnet

19

Campaign

96

C2


Attributes
net
true
pid
19
prc
tbirdconfig, onenote, sqlbrowser, firefoxconfig, ocautoupds, ocssd, thebat, winword, mspub, dbeng50, steam, sqlwriter, sqlservr, msftesql, encsvc, infopath, mysqld_nt, sqlagent, mydesktopqos, synctime, wordpad, powerpnt, outlook, dbsnmp, isqlplussvc, ocomm, sqbcoreservice, oracle, thunderbird, xfssvccon, excel, mydesktopservice, msaccess, mysqld_opt, mysqld, agntsvc, thebat64, visio
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} Extension name: {EXT} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. 
From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
96
svc
veeam, backup, sql, mepocs, sophos, svc$, vss, memtas
Signatures 23

Collection
Credential Access
Defense Evasion
Discovery
Impact
Persistence
  • Detect Neshta Payload

  • Modifies system executable filetype association
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

    TTPs

    Modify Registry, Change Default File Association

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
  • Neshta

    Description

    Malware from the Neshta family infects other executable files in order to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Description

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Sodinokibi/Revil sample

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x00070000000125df-56.dat | family_sodinokobi
    behavioral1/files/0x00070000000125df-57.dat | family_sodinokobi
    behavioral1/files/0x00070000000125df-58.dat | family_sodinokobi
    behavioral1/files/0x00070000000125df-60.dat | family_sodinokobi
    behavioral1/files/0x00070000000125df-61.dat | family_sodinokobi
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe, svchost.com

    Reported IOCs

    pid | process
    268 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    284 | svchost.com
  • Modifies extensions of user files
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File renamed | C:\Users\Admin\Pictures\PushSuspend.raw => \??\c:\users\admin\pictures\PushSuspend.raw.ol215ll | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    File opened for modification | \??\c:\users\admin\pictures\RepairUnprotect.tiff | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    File renamed | C:\Users\Admin\Pictures\RepairUnprotect.tiff => \??\c:\users\admin\pictures\RepairUnprotect.tiff.ol215ll | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    File renamed | C:\Users\Admin\Pictures\RevokeReceive.crw => \??\c:\users\admin\pictures\RevokeReceive.crw.ol215ll | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    File renamed | C:\Users\Admin\Pictures\SearchWait.crw => \??\c:\users\admin\pictures\SearchWait.crw.ol215ll | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    File renamed | C:\Users\Admin\Pictures\StepRegister.crw => \??\c:\users\admin\pictures\StepRegister.crw.ol215ll | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    File renamed | C:\Users\Admin\Pictures\SwitchPush.crw => \??\c:\users\admin\pictures\SwitchPush.crw.ol215ll | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    File renamed | C:\Users\Admin\Pictures\GetSet.png => \??\c:\users\admin\pictures\GetSet.png.ol215ll | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
  • Loads dropped DLL
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe, ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe, svchost.com

    Reported IOCs

    pid | process
    880 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    880 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    268 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    880 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    284 | svchost.com
    284 | svchost.com
    284 | svchost.com
    284 | svchost.com
    284 | svchost.com
    284 | svchost.com
    284 | svchost.com
    880 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    TTPs

    Data from Local System, Credentials in Files
  • Drops desktop.ini file(s)
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

  • Enumerates connected drives
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

  • Drops file in System32 directory
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
  • Sets desktop wallpaper using registry
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

    TTPs

    Defacement, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cgm.bmp" | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
  • Drops file in Program Files directory
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe, svchost.com, ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

  • Drops file in Windows directory
    svchost.com, ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\svchost.com | svchost.com
    File opened for modification | C:\Windows\svchost.com | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    File opened for modification | C:\Windows\directx.sys | svchost.com
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    1684 | vssadmin.exe
  • Modifies registry class
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
  • Modifies system certificate store
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob value not preserved in this capture) | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (blob value not preserved in this capture) | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f06
03551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956ddeee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\247106A405B288A46E70A0262717162D0903E734 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
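The "Modifies system certificate store" rows above are Windows certificate-store writes: each key is named by a certificate's SHA-1 thumbprint and its Blob value is a list of CryptoAPI property records, one of which (property 32) carries the DER certificate itself. The AuthRoot entry A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 decodes to a certificate with friendly name "DigiCert" and subject "DigiCert Global Root CA", and the HKCU\...\CA entry 247106A4... is the "Gandi Standard SSL CA 2" intermediate issued by USERTrust; writes of this shape are consistent with CryptoAPI caching intermediates and auto-populating AuthRoot during chain validation rather than with the sample installing a rogue root, but that is an inference from the decoded data, not something the report states. The check a triage analyst wants is that the DER inside the blob actually hashes to the thumbprint it was written under, so a malicious root cannot hide behind a familiar key name. The parser below is an added example, not part of the sandbox report; the record layout (u32 property id, u32 reserved, u32 length, data) and the property ids 3, 11 and 32 are the documented CryptoAPI values, the embedded hex is the property prefix of the A8985D3A... blob copied from the report and cut four bytes into the certificate record, and `build_cert_blob` is a constructed helper used only to exercise the verification path with a stand-in certificate.

```python
"""Parse and verify a Windows certificate-store registry Blob value.

Added example (not part of the sandbox report).  A Blob is a sequence of
property records, each <prop_id:u32le><reserved:u32le><length:u32le><data>.
For triage the interesting ones are prop 3 (SHA-1 thumbprint, which is also the
registry key name), prop 11 (UTF-16LE friendly name) and prop 32
(CERT_CERT_PROP_ID, the DER certificate).
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

CERT_SHA1_HASH_PROP_ID = 3       # 20-byte thumbprint, same value as the key name
CERT_FRIENDLY_NAME_PROP_ID = 11  # UTF-16LE, NUL-terminated
CERT_CERT_PROP_ID = 32           # DER-encoded certificate

# Leading property records of AuthRoot\...\A8985D3A...\Blob from the report,
# cut 4 bytes into the 947-byte certificate record (the full DER is on the page).
REAL_BLOB_PREFIX = bytes.fromhex(
    "04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e"
    "0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b"
    "090000000100000034000000"
    "303206082b0601050507030106082b0601050507030206082b06010505070304"
    "06082b0601050507030306082b06010505070308"
    "14000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd155"
    "0b0000000100000012000000440069006700690043006500720074000000"
    "1d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9"
    "030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436"
    "1900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee"
    "2000000001000000b3030000308203af"
)


@dataclass
class PropRecord:
    prop_id: int
    data: bytes
    truncated: bool = False  # declared length ran past the end of the blob


def parse_cert_blob(blob: bytes) -> List[PropRecord]:
    """Split a Blob value into property records; a record whose declared length
    exceeds the remaining bytes is kept, flagged truncated, and ends parsing."""
    records: List[PropRecord] = []
    off = 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        truncated = len(data) < length
        records.append(PropRecord(prop_id, data, truncated))
        if truncated:
            break
        off += length
    return records


def _first(records: List[PropRecord], prop_id: int) -> Optional[PropRecord]:
    return next((r for r in records if r.prop_id == prop_id and not r.truncated), None)


def friendly_name(records: List[PropRecord]) -> Optional[str]:
    rec = _first(records, CERT_FRIENDLY_NAME_PROP_ID)
    return rec.data.decode("utf-16-le").rstrip("\x00") if rec else None


def stored_thumbprint(records: List[PropRecord]) -> Optional[str]:
    rec = _first(records, CERT_SHA1_HASH_PROP_ID)
    return rec.data.hex() if rec else None


def certificate_der(records: List[PropRecord]) -> Optional[bytes]:
    rec = _first(records, CERT_CERT_PROP_ID)
    return rec.data if rec else None


def verify_blob(key_name: str, blob: bytes) -> bool:
    """True only if the DER certificate hashes to both the stored SHA-1 property
    and the registry key name the blob was written under."""
    records = parse_cert_blob(blob)
    der = certificate_der(records)
    if der is None:
        return False
    actual = hashlib.sha1(der).hexdigest()
    return actual == key_name.lower() == stored_thumbprint(records)


def build_cert_blob(der: bytes, name: str) -> bytes:
    """Serialize a minimal blob in the same record format.  Constructed helper so
    verify_blob can be exercised without a real certificate."""
    def rec(prop_id: int, data: bytes) -> bytes:
        return struct.pack("<III", prop_id, 1, len(data)) + data
    return (rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
            + rec(CERT_FRIENDLY_NAME_PROP_ID, (name + "\x00").encode("utf-16-le"))
            + rec(CERT_CERT_PROP_ID, der))


if __name__ == "__main__":
    recs = parse_cert_blob(REAL_BLOB_PREFIX)
    print("property ids:", [r.prop_id for r in recs])
    print("friendly name:", friendly_name(recs))
    print("stored thumbprint:", stored_thumbprint(recs))
    last = recs[-1]
    print("certificate record complete:", not last.truncated,
          f"({len(last.data)} bytes captured of the declared length)")
```

On a live system the same parser applies to the `Blob` value read from the registry (or from an exported hive); `verify_blob(key_name, blob)` returning False on an AuthRoot or Root entry is the signal worth escalating, since a thumbprint-named key whose certificate hashes to something else is not how CryptoAPI writes the store.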
  • Suspicious behavior: EnumeratesProcesses
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe

    Reported IOCs

    pid | process
    268 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 1556 | vssvc.exe
    Token: SeRestorePrivilege | 1556 | vssvc.exe
    Token: SeAuditPrivilege | 1556 | vssvc.exe
  • Suspicious use of WriteProcessMemory
    ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe, ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe, svchost.com, cmd.exe

    Reported IOCs (each row was reported four times in the original listing)

    description | pid | process | target process
    PID 880 wrote to memory of 268 | 880 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    PID 268 wrote to memory of 284 | 268 | ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe | svchost.com
    PID 284 wrote to memory of 2032 | 284 | svchost.com | cmd.exe
    PID 2032 wrote to memory of 1684 | 2032 | cmd.exe | vssadmin.exe
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
    "C:\Users\Admin\AppData\Local\Temp\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe"
    Modifies system executable filetype association
    Loads dropped DLL
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:880
    • C:\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe"
      Executes dropped EXE
      Modifies extensions of user files
      Loads dropped DLL
      Drops desktop.ini file(s)
      Enumerates connected drives
      Drops file in System32 directory
      Sets desktop wallpaper using registry
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        PID:284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
          Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            Interacts with shadow copies
            PID:1684
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:668
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1556
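The process tree gives a detection engineer two things to key on. The first is the chain itself: the submitted file (880) runs a second copy of itself from %TEMP%\3582-490\ (268), which launches C:\Windows\svchost.com (284), which in turn runs cmd.exe (2032) and vssadmin.exe (1684). A .com file named svchost in the Windows root, a 3582-490 staging directory and the "Modifies system executable filetype association" flag on 880 are the well-documented artefacts of the Neshta file infector, which here wraps the Sodinokibi payload; the host executables listed under Downloads below are the files that wrapper touched. The second is the wiper command line: vssadmin deleting all shadow copies and bcdedit disabling Windows recovery. Note that bcdedit never appears as its own process in the tree; it is only visible inside the command lines of 284 and 2032, so a rule that matches only on `Image` = bcdedit.exe misses it here, while a rule over the parent's command line catches it. The vssvc.exe privilege use (SeBackupPrivilege, SeRestorePrivilege) in the IOC list is the VSS service doing its normal job on behalf of vssadmin, so the alertable event is the vssadmin command, not the privilege adjustment. The rules below are an added example written for this page, not the sandbox vendor's logic; they run over process-creation events in a Sysmon Event ID 1-like shape whose field names are this example's own, the sample events reproduce the command lines from the tree above (parent pids of the three top-level processes are not in the tree and are set to 0), and the `wmic shadowcopy delete` alternative in the shadow-copy rule goes beyond the single command the report shows.

```python
"""Process-chain detection for the tree above.

Added example, not from the report or the sandbox vendor.  Events are in a
Sysmon Event ID 1-like shape (pid, ppid, image, command line); field and rule
names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed from the process tree above.  ppid 0 = parent not in the tree.
SAMPLE = "ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
TAIL = (r"/c vssadmin.exe Delete Shadows /All /Quiet"
        r" & bcdedit /set {default} recoveryenabled No"
        r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(880, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(268, 880, TEMP + "\\3582-490\\" + SAMPLE,
              '"' + TEMP + "\\3582-490\\" + SAMPLE + '"'),
    ProcEvent(284, 268, r"C:\Windows\svchost.com",
              r'"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" ' + TAIL),
    ProcEvent(2032, 284, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\System32\cmd.exe " + TAIL),
    ProcEvent(1684, 2032, r"C:\Windows\SysWOW64\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(668, 0, r"C:\Windows\system32\wbem\unsecapp.exe",
              r"C:\Windows\system32\wbem\unsecapp.exe -Embedding"),
    ProcEvent(1556, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# Shadow-copy destruction via vssadmin (as in the report) or wmic (common variant).
SHADOW_DELETE = re.compile(
    r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)
# bcdedit turning off recovery; matched on any command line, since bcdedit only
# shows up inside cmd.exe's arguments in the tree above.
BOOT_TAMPER = re.compile(
    r"bcdedit(?:\.exe)?\s+/set\s+\S+\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def run_rules(events: List[ProcEvent]) -> Set[Tuple[str, int]]:
    """Return (rule name, pid) pairs for every event that trips a rule."""
    hits: Set[Tuple[str, int]] = set()
    for e in events:
        img = e.image.lower()
        if SHADOW_DELETE.search(e.cmdline):
            hits.add(("shadow_copy_deletion", e.pid))
        if BOOT_TAMPER.search(e.cmdline):
            hits.add(("boot_recovery_tamper", e.pid))
        # The real service host is svchost.exe under System32; a svchost.com
        # twin in the Windows root is the Neshta infector's dropped binary.
        if basename(img) == "svchost.com":
            hits.add(("svchost_com_masquerade", e.pid))
        if "\\3582-490\\" in img:
            hits.add(("neshta_3582-490_staging", e.pid))
    return hits


def ancestry(events: List[ProcEvent], pid: int) -> List[int]:
    """Walk parent pointers from pid to the root of the captured tree."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain: List[int] = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for rule, pid in sorted(run_rules(SAMPLE_EVENTS), key=lambda h: (h[1], h[0])):
        print(f"{pid:>5}  {rule}")
    print("chain from vssadmin:", " <- ".join(map(str, ancestry(SAMPLE_EVENTS, 1684))))
```

Running it against the constructed events flags 268, 284, 2032 and 1684 and leaves the two sandbox-spawned service processes and the initial 880 untouched; `ancestry` then ties the vssadmin hit back through cmd.exe and svchost.com to the submitted sample, which is the chain an incident responder wants on the ticket rather than the isolated vssadmin event.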
Network
MITRE ATT&CK Matrix
  Tactic columns present in the rendered matrix: Command and Control, Credential Access, Execution, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation (technique cells not captured)
Downloads
  • C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
    MD5: 02ee6a3424782531461fb2f10713d3c1
    SHA1: b581a2c365d93ebb629e8363fd9f69afc673123f
    SHA256: ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
    SHA512: 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec
  • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
    MD5: cf6c595d3e5e9667667af096762fd9c4
    SHA1: 9bb44da8d7f6457099cb56e4f7d1026963dce7ce
    SHA256: 593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d
    SHA512: ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80
  • C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe
    MD5: 58b58875a50a0d8b5e7be7d6ac685164
    SHA1: 1e0b89c1b2585c76e758e9141b846ed4477b0662
    SHA256: 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
    SHA512: d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
  • C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe
    MD5: 566ed4f62fdc96f175afedd811fa0370
    SHA1: d4b47adc40e0d5a9391d3f6f2942d1889dd2a451
    SHA256: e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460
    SHA512: cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7
  • C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe
    MD5: 3ec4922dbca2d07815cf28144193ded9
    SHA1: 75cda36469743fbc292da2684e76a26473f04a6d
    SHA256: 0587fd366ea7e94b3ae500874b1c5d684b5357fcc7389682d5a13c3301a28801
    SHA512: 956c3a1f2689cb72600edd2e90d652b77592a8a81d319dce026e88f6c02231af06aebd57d68460eb406de00c113522173423cb1b339a41a3918f379c7dc311f7
  • C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
    MD5: e1833678885f02b5e3cf1b3953456557
    SHA1: c197e763500002bc76a8d503933f1f6082a8507a
    SHA256: bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
    SHA512: fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe
  • C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
    MD5: 034978c5262186b14fd7a2892e30b1cf
    SHA1: 237397dd3b97c762522542c57c85c3ff96646ba8
    SHA256: 159776d43dd2a8d843b82ece0faf469f9088a625d474ce4eea9db59d94a844e6
    SHA512: d216e757616121d9902b0db2669b6e2aa9eb2697427c9ea2804ebda9690abbf9219c6e603d63ff19dc6115a072985ca862499b5f8319ca057a16e81aec9ea949
  • C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE
    MD5: 58b58875a50a0d8b5e7be7d6ac685164
    SHA1: 1e0b89c1b2585c76e758e9141b846ed4477b0662
    SHA256: 2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
    SHA512: d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
  • C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE
    MD5: a8dadf93b223cb3c075204b0bd38c9c6
    SHA1: 41c4cf4e60dd6b2b3a09085af3f62f21914eba5b
    SHA256: 0b9faeceb83cfb2cbb2b04a5dc719288355ad3a221f4b413bc1a1d1bc5e335e0
    SHA512: 5d750b4ea23292859dda58dc81b82f234f00d0968f088e38353dd574caa43b4bd2f954750eb5135a20a8e934c7c12bd13c9badb653afc9483594b5f877c97031
  • C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE
    MD5: b19c2fa49e278935e6a3087fdd0da46e
    SHA1: 04a5de16b6840a8fe68753028bd2ff20381ed720
    SHA256: c70151fc7fb7d461ba596455bfc7e79e199a3c0ac766c5d67f9347b39e20b7b9
    SHA512: 0399a45ee6a87d5899020d4106bc6ff521285b34c61afcd4929b6274166f7585c01749a1ee1814e82c90a5d8deb1dfa28bde6b105029f74d33f7a3e848d0dc39
  • C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE
    MD5: 8acc19705a625e2d4fa8b65214d7070a
    SHA1: ad16e49369c76c6826a18d136bf9618e8e99ec12
    SHA256: 3fb179a3ae88a3d14db48de29d4b9d43243b80b2118b578b8117ad776ce47f12
    SHA512: 92e22275194b5a73d825e1e7ad5a5cb5649d3679f545f88328aa72e39c161c4d797b7b3462e590edf546ddbd53c1508a49056f50fa63b113134e1bdc7d977dec
  • C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE
    MD5: 7a4edc8fb7114d0ea3fdce1ea05b0d81
    SHA1: 02ecc30dbfab67b623530ec04220f87b312b9f6b
    SHA256: ff16fdc703e55ddfe5ee867f343f3b20b496e7199c6c4b646335a01026f74550
    SHA512: 39519685b1dd872008abfa967f79fd3b7a5e6f6ee1b9c3de891aae64490b2d0feb56bcd3f5dab4527d2c6d07646db5966028df153f38a1c09ee88a1ba9a1ef44
  • C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
    MD5: 08ee3d1a6a5ed48057783b0771abbbea
    SHA1: ebf911c5899f611b490e2792695924df1c69117d
    SHA256: 3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0
    SHA512: 1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5
  • C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE
    MD5: 2d1b4a44f1f9046d9d28e7e70253b31d
    SHA1: 6ab152d17c2e8a169956f3a61ea13460d495d55e
    SHA256: d1d73220342ff51a1514d2354654c6fcaedc9a963cb3e0a7e5b0858cfc5c5c7d
    SHA512: dd8f5e343417a3e131b3362f1aecaf9ce0f8a55c9f90aa3b7e55b6ddb6c5f4e06b3e76a7f4481fa13e2f325ab2490553f6977178acf7c486c7315755c05fc7c3
  • C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE
    MD5: 525f8201ec895d5d6bb2a7d344efa683
    SHA1: a87dae5b06e86025abc91245809bcb81eb9aacf9
    SHA256: 39a089d363b15c37cca9f747a17e89ad1dbe0bc86ff23466526beaa5e36d6d4b
    SHA512: f0a2070f11eb3f0bdf996ada42becc7710aab76e84268e5cdbbd9ecbf13ef5fb85b52b6227711137a9c511f8d731b018530cbf1935f8fcfd61ff2ef6c1348d63
  • C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE
    MD5: 61631e66dbe2694a93e5dc936dd273be
    SHA1: b1838b8ca92fa5ca89e1108ceb2630a6ecd2b8c2
    SHA256: 5811b7b694d99c703b4c4bc72d6b7d846d05b2b0f45a7e3e4279cdb6fd81265f
    SHA512: 323463c267ccdb701d5967198f4f72158056f5a6e889c47bf19d1a670233ab071a5fe8c108430beb67753b77af1c59028007101a8e1266618fe91fa0127b4dcf
  • C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
    MD5: 9b1c9f74ac985eab6f8e5b27441a757b
    SHA1: 9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5
    SHA256: 2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24
    SHA512: d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4
  • C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE
    MD5: 5ae9c0c497949584ffa06f028a6605ab
    SHA1: eb24dbd3c8952ee20411691326d650f98d24e992
    SHA256: 07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e
    SHA512: 2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788
  • C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE
    MD5: fc87e701e7aab07cd97897512ab33660
    SHA1: 65dcd8e5715f2e4973fb6b271ffcb4af9cefae53
    SHA256: bb1814297615d6b22fa20ee4f8613c8bc9fa67d93cb7fe032f46f377569e2f46
    SHA512: b03e3b3f7b0f11b85757d8bf5678542f4281407e95cf8e074da4ddc421c217fcfaf23cc927ccd0bbca2891a424b2d3565072aba6406dc46c2fa1fdba7a249eec
  • C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE
    MD5: 93766da984541820057ae0ab3d578928
    SHA1: ea19a657c6b1b5eb5accc09c45dcf04f063151c3
    SHA256: ad3a9f7beaaea0bc49a7ccba83198cfb2882d462441203684076695b0ef6c514
    SHA512: e14c86e13ab79fa9b9eb1a05d69764d522c4acfab7742c200080b215bb3bc31ec7f3dd2abf44cbc996d2e58a0ca1990b18ab055b232b243fe61b5fb018a9b719
  • C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
    MD5: f2056a3543ba9b6b6dde4346614b7f82
    SHA1: 139129616c3a9025a5cb16f9ad69018246bd9e2d
    SHA256: 2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e
    SHA512: e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942
  • C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
    MD5: e7d2d4bedb99f13e7be8338171e56dbf
    SHA1: 8dafd75ae2c13d99e5ef8c0e9362a445536c31b5
    SHA256: c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24
    SHA512: 2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc
  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
    MD5: f6636e7fd493f59a5511f08894bba153
    SHA1: 3618061817fdf1155acc0c99b7639b30e3b6936c
    SHA256: 61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33
    SHA512: bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1
  • C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    MD5: 3e8de969e12cd5e6292489a12a9834b6
    SHA1: 285b89585a09ead4affa32ecaaa842bc51d53ad5
    SHA256: 7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf
    SHA512: b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e
  • C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
    MD5: a49eb5f2ad98fffade88c1d337854f89
    SHA1: 2cc197bcf3625751f7e714ac1caf8e554d0be3b1
    SHA256: 99da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449
    SHA512: 4649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593
  • C:\Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe (listed twice in the report)
    MD5: d0190f94e6d05104977c53b55dbc2911
    SHA1: c0ff002b0e26b180a741c3cefff15190df7746cc
    SHA256: f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69
    SHA512: d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868
  • C:\Windows\svchost.com (listed twice in the report)
    MD5: 36fd5e09c417c767a952b4609d73a54b
    SHA1: 299399c5a2403080a5bf67fb46faec210025b36d
    SHA256: 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
    SHA512: 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
  • \PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe
    MD5: e1833678885f02b5e3cf1b3953456557
    SHA1: c197e763500002bc76a8d503933f1f6082a8507a
    SHA256: bd9a16d8d7590a2ec827913db5173f8beb1d1ef44dab1920ef52a307f922bc14
    SHA512: fe107e1c8631ec6ac94f772e6a7be1fdc2a533fe3cfcf36b1ff018c8d01bd7f1f818f0a2448f736838c953cd516ea7327c416dea20706ed2420327af8ef01abe
  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE (listed twice in the report)
    MD5: 9e2b9928c89a9d0da1d3e8f4bd96afa7
    SHA1: ec66cda99f44b62470c6930e5afda061579cde35
    SHA256: 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
    SHA512: 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
  • \PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe
    MD5: 034978c5262186b14fd7a2892e30b1cf
    SHA1: 237397dd3b97c762522542c57c85c3ff96646ba8
    SHA256: 159776d43dd2a8d843b82ece0faf469f9088a625d474ce4eea9db59d94a844e6
    SHA512: d216e757616121d9902b0db2669b6e2aa9eb2697427c9ea2804ebda9690abbf9219c6e603d63ff19dc6115a072985ca862499b5f8319ca057a16e81aec9ea949
  • \PROGRA~2\MICROS~1\Office14\ONENOTE.EXE
    MD5: 08ee3d1a6a5ed48057783b0771abbbea
    SHA1: ebf911c5899f611b490e2792695924df1c69117d
    SHA256: 3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0
    SHA512: 1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5
  • \PROGRA~2\MICROS~1\Office14\PPTICO.EXE
    MD5: 525f8201ec895d5d6bb2a7d344efa683
    SHA1: a87dae5b06e86025abc91245809bcb81eb9aacf9
    SHA256: 39a089d363b15c37cca9f747a17e89ad1dbe0bc86ff23466526beaa5e36d6d4b
    SHA512: f0a2070f11eb3f0bdf996ada42becc7710aab76e84268e5cdbbd9ecbf13ef5fb85b52b6227711137a9c511f8d731b018530cbf1935f8fcfd61ff2ef6c1348d63
  • \PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE
    MD5: 9b1c9f74ac985eab6f8e5b27441a757b
    SHA1: 9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5
    SHA256: 2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24
    SHA512: d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4
  • \PROGRA~2\MICROS~1\Office14\XLICONS.EXE
    MD5: 93766da984541820057ae0ab3d578928
    SHA1: ea19a657c6b1b5eb5accc09c45dcf04f063151c3
    SHA256: ad3a9f7beaaea0bc49a7ccba83198cfb2882d462441203684076695b0ef6c514
    SHA512: e14c86e13ab79fa9b9eb1a05d69764d522c4acfab7742c200080b215bb3bc31ec7f3dd2abf44cbc996d2e58a0ca1990b18ab055b232b243fe61b5fb018a9b719
  • \PROGRA~2\MOZILL~1\MAINTE~1.EXE
    MD5: f2056a3543ba9b6b6dde4346614b7f82
    SHA1: 139129616c3a9025a5cb16f9ad69018246bd9e2d
    SHA256: 2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e
    SHA512: e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942
  • \Users\Admin\AppData\Local\Temp\3582-490\ee75b4b93ee55444163a282c06c6d7a87ff2c520f4923a88df5d9eea1547bbf9.exe (listed three times in the report)
    MD5: d0190f94e6d05104977c53b55dbc2911
    SHA1: c0ff002b0e26b180a741c3cefff15190df7746cc
    SHA256: f4e5d7a95681d920dda75fe5dd89be249905e2a7712f9b3b39e19351f5ef5e69
    SHA512: d4b1cc032f9d8254ac6035c27948147d8c4c5f60be51e632ba26c6e34ada87515b3113b4bd1cec3cedfa1a73c465a1267681ca05356d8f2f08d81c4fef04d868
  • memory/880-55-0x0000000075B11000-0x0000000075B13000-memory.dmp